Botnet Installing NiceRAT Malware

June 13, 2024, 1:33 p.m.

Description

This analysis discusses the proliferation of botnets constructed through the distribution of malware disguised as legitimate software. These botnets are subsequently leveraged to install additional malware strains, including NiceRAT, a Python-based Remote Access Tool (RAT) capable of collecting system information, browser data, and cryptocurrency wallet details for exfiltration. The report highlights the persistent nature of these botnets, which have been operational since 2019, underscoring the importance of user vigilance when downloading software from untrusted sources.

Date

  • Created: June 13, 2024, 12:49 p.m.
  • Published: June 13, 2024, 12:49 p.m.
  • Modified: June 13, 2024, 1:33 p.m.

Indicators

Attack Patterns

  • NiceRAT
  • T1556.003
  • T1027.004
  • T1021.004
  • T1497.003
  • T1053.005
  • T1497.001
  • T1012
  • T1555
  • T1071.001
  • T1518.001
  • T1489
  • T1082
  • T1083
  • T1570